Bot TraceBack (BTB) Service

by Eman Hossny, Sherif Khattab, Fatma Omara, Hesham Hassan
IBM Cloud Academy Conference ICACON 2015
Faculty of Computers and Information, Cairo University


Background

Motivation

Objective

BTB Service

EASI-CLOUDS project

Conclusion and Future Work

BTB Service, Eman Hossny, 22 May 2015. Slide (2 of 21)

Background

Bot ◦ Malicious software that lets an attacker gain full control over a computer

Zombie ◦ A computer that is infected by a bot

Botnet ◦ A large number of bot-infected zombies

◦ Under the control of an attacker (the bot master)

◦ Used to:

Launch DDoS attacks

Send spam emails

Steal users' banking credentials

Install additional malware

Motivation

A study shows that 40% of all computers connected to the web are infected bots, controlled by a bot master.

Date           Cybercriminal event

October 2009   Attackers used a DDoS attack against the BitBucket.org site, which was deployed on Amazon EC2.

April 2011     Attackers rented a set of Amazon EC2 VMs and launched a massive attack that compromised more than 100 million personal accounts of Sony's customers.

January 2014   Four of the top malware sites were deployed on Amazon Web Services (AWS), e.g., Download-instantly.com and powerpackmm.com; hence the description of Amazon as a "hornet's nest of malware".

April 2015     Law enforcement groups and private security companies took down a huge botnet, the Simda botnet: 770,000 compromised computers in 190 countries.

BTB: Bot TraceBack

Terminologies

Use Cases

BTB Architecture

Detailed Operational Flow

Running Scenarios

Terminologies

Attacking VM: this is the Bot VM.

Attacking IP address: this is the IP address of the bot VM.

Attacked VM: this is the victim VM.

Attacked IP address: this is the IP address of the victim VM.

BTB Architecture

Architecture diagram (only the text recovered from the figure):

Security-aaS layer: BTB Reporting Service, BTB Detection Service, Reports & VMs DB, Monitoring

◦ Customer Portal -> Report Attack -> BTB Reporting Service

◦ BTB Reporting Service -> Log Report -> Reports & VMs DB

◦ Monitoring -> Log VMs Info -> Reports & VMs DB

◦ BTB Detection Service -> Pull Report, Pull VMs info -> Reports & VMs DB

◦ BTB Detection Service -> Report Bot VMs -> Security Operation Center (SOC)

Component roles:

◦ BTB Reporting Service: helps customers send BTB reports to an IaaS provider

◦ BTB Detection Service: identifies the bot VM

◦ Monitoring: retrieves info about all available VMs for all users

◦ Reports & VMs DB: stores historical data about all VMs

Detailed Operational Flow

Flow diagram (only the text recovered from the figure):

◦ Customer: Send BTB Report -> EASI-CLOUDS forwards the report to the specific cloud provider

◦ Report Parser: parse and store the report in the DB

◦ Monitor: run the EASI-CLOUDS monitor API every 5 min to get the VMs logs; store and update VMs info in the DB

◦ Report Checker: run BTB to process a new report

◦ BTB Detection Service: Search & Retrieve from the DB, then Search & Update the report

BTB Architecture (implementation view)

Deployment diagram (only the text recovered from the figure):

◦ BTB Reporting Service: GUI (Send report, Check report) and REST API (Send report REST API, Check report REST API)

◦ BTB Detection Service: Automatic Daemon (Report checker, Update monitoring info)

◦ Monitoring: calls the Token API and the VMs information API provided by an IaaS cloud provider

◦ Reports & VMs DB: dumped on the ClearDB online service

◦ Security Operation Center (SOC): receives the bot VM reports

◦ Both services (Reporting and Detection) are deployed on CloudFoundry

Running Scenarios

Screenshots (not reproduced here) of:

◦ BTB Reporting Service (Request)

◦ BTB Reporting Service (Response)

◦ Check Report Service: the sent report has not been processed yet

◦ Check Report Service: finished and caught the infected VM

◦ Check Report Service: wrong report ID
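The slides give the flow and the three Check Report outcomes but not the traceback logic itself. The following is an added example, not the BTB project's code: an in-memory model in which a report (attacked IP, attacking IP, attack time) is filed and given an ID, the monitor appends VM-to-IP snapshots every 5 minutes, and the detection daemon names the VM that held the attacking IP at the reported time. The status strings, the report and snapshot fields, the `BTBService` class and the sample data are all assumptions. It goes one step beyond the slides by handling the gap the 5-minute polling leaves: an IP released by one VM and reassigned to another between two polls is reported as ambiguous instead of being pinned on one tenant.

```python
"""Added example, not the BTB project's own code: an in-memory model of the
Bot TraceBack flow on the slides (send report, monitor VMs, detect, check).
Report fields, status strings, snapshot format and sample data are assumed."""

from dataclasses import dataclass
from datetime import datetime, timedelta
import uuid

# Check Report outcomes; wording assumed from the three scenarios on the slides.
PENDING = "The sent report is not processed yet"
FINISHED = "Finished and caught the infected VM"
AMBIGUOUS = "Finished: attacking IP changed hands inside the polling window"
NO_MATCH = "Finished: no VM held the attacking IP at the reported time"
WRONG_ID = "Wrong report ID"


@dataclass(frozen=True)
class VMSnapshot:          # one row of the Reports & VMs DB
    taken_at: datetime     # when the monitor polled the VMs-information API
    vm_id: str
    owner: str             # tenant the VM belongs to
    ip: str                # address the VM held at that poll


@dataclass
class BTBReport:
    attacked_ip: str       # victim VM's address
    attacking_ip: str      # bot VM's address, as seen by the victim
    attack_time: datetime
    status: str = PENDING
    bot_vms: tuple = ()    # (vm_id, owner) candidates filled in by detection


class BTBService:
    POLL_INTERVAL = timedelta(minutes=5)   # slides: monitor API run every 5 min

    def __init__(self):
        self.reports = {}      # report_id -> BTBReport
        self.vm_history = []   # historical VM info appended by the monitor

    def log_vms_info(self, snapshots):
        """Monitoring: store and update VMs info."""
        self.vm_history.extend(snapshots)

    def send_report(self, attacked_ip, attacking_ip, attack_time):
        """Reporting Service, Send report REST API: returns the report ID."""
        report_id = uuid.uuid4().hex
        self.reports[report_id] = BTBReport(attacked_ip, attacking_ip, attack_time)
        return report_id

    def check_report(self, report_id):
        """Reporting Service, Check report REST API."""
        report = self.reports.get(report_id)
        if report is None:
            return {"status": WRONG_ID}
        return {"status": report.status, "bot_vms": list(report.bot_vms)}

    def run_detection(self):
        """Detection Service daemon: run BTB over every unprocessed report."""
        processed = 0
        for report in self.reports.values():
            if report.status != PENDING:
                continue
            report.bot_vms = self._trace_back(report)
            if len(report.bot_vms) == 1:
                report.status = FINISHED
            elif report.bot_vms:
                report.status = AMBIGUOUS
            else:
                report.status = NO_MATCH
            processed += 1
        return processed

    def _trace_back(self, report):
        """(vm_id, owner) pairs that held the attacking IP within one poll of
        the attack time. Sampling every 5 min means an IP released and
        reassigned between two polls maps to two VMs; both are returned
        rather than blaming whichever one the last poll happened to see."""
        hits = [s for s in self.vm_history
                if s.ip == report.attacking_ip
                and abs(s.taken_at - report.attack_time) <= self.POLL_INTERVAL]
        return tuple(sorted({(s.vm_id, s.owner) for s in hits}))


def demo():
    """Constructed sample data: 10.0.0.5 is held by vm-a, then moves to vm-b."""
    t0, m = datetime(2015, 5, 22, 10, 0), timedelta(minutes=1)
    svc = BTBService()
    svc.log_vms_info([
        VMSnapshot(t0, "vm-a", "tenant-1", "10.0.0.5"),
        VMSnapshot(t0, "vm-b", "tenant-2", "10.0.0.9"),
        VMSnapshot(t0 + 5 * m, "vm-a", "tenant-1", "10.0.0.5"),
        VMSnapshot(t0 + 10 * m, "vm-b", "tenant-2", "10.0.0.5"),   # IP reassigned
    ])
    clear = svc.send_report("10.0.0.20", "10.0.0.5", t0 + 3 * m)   # only vm-a fits
    fuzzy = svc.send_report("10.0.0.20", "10.0.0.5", t0 + 7 * m)   # vm-a or vm-b
    miss = svc.send_report("10.0.0.20", "192.0.2.77", t0 + 3 * m)  # no VM had it
    before = svc.check_report(clear)["status"]                    # still pending
    svc.run_detection()
    return {"before": before, "clear": svc.check_report(clear),
            "fuzzy": svc.check_report(fuzzy), "miss": svc.check_report(miss),
            "bad_id": svc.check_report("no-such-report")}
```

Two caveats a deployment of this flow needs that the model leaves out: the Send report API must authenticate the caller and only accept an attacked IP that belongs to that customer's own VMs, otherwise any tenant can file reports that name another tenant's address; and the attacking IP in a DDoS report may be spoofed, so a match in the VM history is a lead for the SOC to confirm against the provider's own traffic logs, not proof of infection.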

EASI-CLOUDS project

Aims to advance cloud computing in ◦ Europe, Egypt, and Korea

Provides a comprehensive cloud computing infrastructure ◦ Includes all layers (IaaS, PaaS, and SaaS)

◦ Satisfies reliability, elasticity, security and ease-of-use requirements.

Won the ITEA Award of Excellence in the business category.

Conclusion and Future Work

Bot TraceBack (BTB) Service ◦ Objective: identify a bot virtual machine inside an IaaS cloud provider

◦ Functionality: reporting and tracing back the presence of a bot inside an IaaS cloud provider in a federated environment

◦ Implementation: implemented as part of the security tools in the EASI-CLOUDS project

Future Work ◦ Performance evaluation of the proposed BTB service

◦ Commercialization of the BTB service
